Help! I am drowning in an audit!
Few words strike fear in hearts like the word Audit, especially around tax time. It’s no different when it comes to an IT audit. There you are fighting the daily fight – processes that didn’t complete, the server that went down, trying to make progress on that new project – when the phone rings. The next thing you know, someone you have never heard of is asking all kinds of questions and requesting logs, configuration files, and all kinds of other evidence. And the first thing that comes to your mind is, “What does he need that for?”
Why do we need an audit anyway?
An audit is the process of making sure you are following the rules. It’s an unfortunate result of a world that sometimes cuts corners. After all, not everyone is as honest as you and I. That’s why the auditor guy called. The purpose of the audit is to confirm that the controls used to protect data are adequate, and to gather impartial evidence that those controls are actually operating.
But what is really confusing is why auditors ask for the things they do. Most of the questions auditors ask are the same regardless of the reason for the audit. PCI, HIPAA, FISMA and state privacy audits all need to look at the organization’s process for controlling access, how it collects log data, and who logged on to a particular system and when. A PCI auditor might use different language from a HIPAA auditor, but that is because the regulations use specific terms – terms that generally mean the same thing.
So what do auditors really want?
Just for clarification – an assessment looks for weaknesses that might be exploited. An audit is an attempt to compare existing controls to a standard. Typically, an auditor starts with the standard in question. This requirements document describes what controls the auditor must investigate. In general terms, the auditor is looking for:
- A published policy – A statement that describes the control, its purpose, responsible individuals/groups, how the policy is maintained and published, and evidence that it is applied.
- A viable process – The process or procedures that implement the policy. What steps are to be followed, who does what, what records confirm that the process was followed?
- Evidence that the Control is enforced – This is where the auditor reviews logs, vulnerability scan results, and similar records that show the process was actually followed, not just written down.
- A determination – Finally, the auditor assembles this information and decides how effective the control is and how consistently it is applied. That determination becomes part of the auditor’s report, which is submitted to senior management and the appropriate external entities.
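To make the third bullet concrete, here is an added example (not SVT’s code, and not something a particular regulation prescribes) of the kind of evidence request an auditor actually makes: “show me who logged on to this system.” It parses OpenSSH-style authentication log lines, separates successful from failed logons, summarizes them per user and source address, and computes a SHA-256 digest of the raw log extract so the evidence handed over can later be shown to be unaltered. The log lines, the hostname `srv01`, the usernames and the IP addresses are all constructed for the example.

```python
import hashlib
import re

# Constructed sample of OpenSSH/syslog authentication lines. Host, users and
# addresses are hypothetical; the format mirrors what sshd writes to auth.log.
SAMPLE_AUTH_LOG = """\
Mar  3 08:01:12 srv01 sshd[2211]: Accepted publickey for alice from 10.0.0.5 port 51012 ssh2
Mar  3 08:05:40 srv01 sshd[2240]: Failed password for bob from 10.0.0.9 port 51100 ssh2
Mar  3 08:05:44 srv01 sshd[2240]: Failed password for bob from 10.0.0.9 port 51100 ssh2
Mar  3 08:06:01 srv01 sshd[2240]: Accepted password for bob from 10.0.0.9 port 51100 ssh2
Mar  3 09:12:09 srv01 sshd[2301]: Failed password for invalid user admin from 203.0.113.7 port 40022 ssh2
Mar  3 09:30:55 srv01 sshd[2333]: Accepted publickey for alice from 10.0.0.5 port 51200 ssh2
"""

# One regex for both "Accepted ..." and "Failed ..." sshd lines. The optional
# "invalid user " prefix appears when the account does not exist at all.
LOGON_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def parse_logons(text):
    """Return one dict per logon attempt found in the log text; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOGON_RE.match(line)
        if not m:
            continue  # not a logon record, so not part of this evidence set
        event = m.groupdict()
        event["success"] = event["result"] == "Accepted"
        events.append(event)
    return events


def logon_summary(events):
    """Per-user counts of successful and failed attempts plus the source addresses seen."""
    summary = {}
    for e in events:
        entry = summary.setdefault(
            e["user"], {"success": 0, "failure": 0, "sources": set()}
        )
        entry["success" if e["success"] else "failure"] += 1
        entry["sources"].add(e["src"])
    return summary


def evidence_digest(text):
    """SHA-256 of the raw extract, recorded alongside it so tampering is detectable later."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def build_evidence_record(text, host):
    """Assemble what would be handed to the auditor for one system: events, summary, digest."""
    events = [e for e in parse_logons(text) if e["host"] == host]
    return {
        "host": host,
        "events": events,
        "summary": logon_summary(events),
        "sha256": evidence_digest(text),
    }


if __name__ == "__main__":
    record = build_evidence_record(SAMPLE_AUTH_LOG, "srv01")
    print(f"host: {record['host']}  logon attempts: {len(record['events'])}")
    for user, s in sorted(record["summary"].items()):
        print(f"  {user:8} ok={s['success']} failed={s['failure']} from={sorted(s['sources'])}")
    print("evidence sha256:", record["sha256"])
```

The digest is the part people forget: the auditor wants to know the logs you produced on request are the logs the system wrote, so hash the extract when you pull it and keep the hash with the request ticket. On a real system you would read `/var/log/auth.log` (or the equivalent journal export) instead of the embedded sample, and filter by the date range the auditor asked for.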
For specific information, see the other compliance pages on SVT’s web site.